D/DoS mitigation hardware/software needed.

Stefan Fouant sfouant at shortestpathfirst.net
Sat Jan 9 08:57:27 CST 2010


> -----Original Message-----
> From: Łukasz Bromirski [mailto:lukasz at bromirski.net]
> Sent: Saturday, January 09, 2010 6:11 AM
> 
> You mean Juniper SRX? The biggest box is a 5800, and it can handle
> up to 350k new sessions each second, up to maximum of 10 million
> (let's skip the fact that it's not that simple as it would look from
> the data sheet and there are major obstacles from reaching the
> numbers).

With all due respect, I've been playing with the high end SRXs lately and I
have to say I've been incredibly impressed with the performance... I
recently did some performance testing on the SRX 5600s and I was able to
consistently observe it instantiating upwards of 150k new TCP sessions per
second.  Does the SRX have some bugs... sure... that is to be expected with
a box which by all means is still relatively bleeding edge.  I'm fairly
confident given a little time to stabilize the code, they will be able to
fix some of the obstacles you are describing above...

Having said that, I always laugh when I'm working with customers who have
been DoSed and their response is "Well, our firewall/load balancer has DDoS
mitigation capabilities...".  Almost every firewall or load balancer device
I've worked with (Netscreen, SRX, Brocade, Fortinet) that had any sort of
DoS mitigation features was extremely limited in its capability.  Most only
do session-based limiting towards a given destination IP, with the ultimate
result being that they simply rate-limit the traffic towards that
destination.  This in itself ends up completing the attackers goal of
denying service (even if just a subset) towards a given IP.  And these types
of features do nothing to assist with low-level attack traffic which require
surgical mitigation, not to mention a host of other attack vectors.

Firewalls do have their place in DDoS mitigation scenarios, but if used as
the "ultimate" solution you're asking for trouble.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D





More information about the NANOG mailing list